Site-to-site IPsec VPN with overlapping subnets

This recipe describes how to construct a site-to-site IPsec VPN connection between two networks with overlapping subnets, so that traffic is directed to the correct address on the correct network, using Virtual IP (VIP) addresses and static routes.

2. Add the Virtual IP Range on FGT_1

Select Virtual IP from the Create New drop-down menu. Select IPv4 for the VIP Type and give the VIP an appropriate name.

Set the Interface to the IPsec VPN Site to Site interface from the drop-down menu.

Set External IP Address/Range to a range in the subnet you will be redirecting from (10.21.101.1 – 10.21.101.254) and Mapped IP Address/Range to the internal network range (192.168.1.1 – 192.168.1.254).

Select OK.

3. Create the IPsec VPN tunnel on FGT_2

Go to VPN > IPsec > Wizard.

Select Site to Site – FortiGate. Give it an appropriate Name and click Next.

Set Remote Gateway to the IP address used by the Internet-facing interface of FGT_1. The Outgoing Interface will automatically populate.

Enter a Pre-shared key and click Next.

Set Local Interface to your Internet-facing interface. The Local Subnets will automatically populate. Set Remote Subnets to the VIP of the internal network for FGT_1 (10.21.101.0/24) and click Create.

The VPN Wizard automatically creates the required objects, policies, and static route required for the tunnel to function properly.

As before, you can verify the policy creation under Policy & Objects > Policy > IPv4.

4. Add the Virtual IP Range on FGT_2

Select Virtual IP from the Create New drop-down menu. Select IPv4 for the VIP Type and give the VIP an appropriate name.

Set Interface to the IPsec VPN Site to Site interface from the drop-down menu.

Set External IP Address/Range to a range in the subnet you will be redirecting from (10.31.101.1 – 10.31.101.254) and Mapped IP Address/Range to the internal network range (192.168.1.1 – 192.168.1.254).

Select OK.
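To make the address arithmetic of steps 2 and 4 concrete, here is an added Python model (not FortiGate code) of the static 1:1 VIP mapping each gateway applies: the external range seen across the tunnel is translated to the overlapping 192.168.1.0/24 LAN behind it, and reply traffic is translated back. The gateway names and ranges are the recipe's; the function names are my own.

```python
from ipaddress import IPv4Address

# Constructed from the recipe: both sites use 192.168.1.0/24 internally, so each
# FortiGate publishes its LAN to the tunnel under a distinct external VIP range.
VIPS = {
    "FGT_1": {"ext": ("10.21.101.1", "10.21.101.254"), "mapped": ("192.168.1.1", "192.168.1.254")},
    "FGT_2": {"ext": ("10.31.101.1", "10.31.101.254"), "mapped": ("192.168.1.1", "192.168.1.254")},
}

def _bounds(pair):
    lo, hi = IPv4Address(pair[0]), IPv4Address(pair[1])
    if hi < lo:
        raise ValueError(f"range {pair} is inverted")
    return lo, hi

def _translate(addr, from_range, to_range):
    """Static 1:1 mapping: addr keeps the same offset in to_range as in from_range."""
    f_lo, f_hi = _bounds(from_range)
    t_lo, t_hi = _bounds(to_range)
    if int(f_hi) - int(f_lo) != int(t_hi) - int(t_lo):
        raise ValueError("external and mapped ranges must be the same size")
    a = IPv4Address(addr)
    if not f_lo <= a <= f_hi:
        return None  # not a VIP hit; the packet follows normal routing instead
    return str(t_lo + (int(a) - int(f_lo)))

def vip_dnat(gateway, dst):
    """Inbound over the tunnel: external VIP destination -> real internal host."""
    v = VIPS[gateway]
    return _translate(dst, v["ext"], v["mapped"])

def vip_snat_reply(gateway, src):
    """Reply leaving the site: internal source -> the VIP address the peer dialled."""
    v = VIPS[gateway]
    return _translate(src, v["mapped"], v["ext"])

def reach_address(dst_gateway, internal_host):
    """Address a host on the other site must dial to reach internal_host behind dst_gateway."""
    return vip_snat_reply(dst_gateway, internal_host)

if __name__ == "__main__":
    # Host 192.168.1.10 at site 1 wants 192.168.1.50 at site 2: it dials the FGT_2 VIP,
    # FGT_2 maps it to the real host, and the reply source is mapped back to the VIP.
    dial = reach_address("FGT_2", "192.168.1.50")
    real = vip_dnat("FGT_2", dial)
    print(dial, "->", real, "| reply source:", vip_snat_reply("FGT_2", real))
```

Note that the same check is what keeps the design honest: the external and mapped ranges must be the same size, and a destination outside a gateway's VIP range is not translated at all.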

5. Results

Go to VPN > Monitor > IPsec Monitor. Right-click on the Site to Site VPN and select Bring Up.

You will be able to see Incoming and Outgoing Data in the IPsec Monitor.
